fossar / selfoss

multipurpose rss reader, live stream, mashup, aggregation web application
https://selfoss.aditu.de
GNU General Public License v3.0

Load list error: error SyntaxError: The URI is malformed. #1047

Status: closed by toonn 2 years ago

toonn commented 6 years ago

I've been getting this error and I can't figure out what the problem is. Exact error message: Load list error: error SyntaxError: The URI is malformed.

Access log entries:

192.168.0.251 - - [23/Jul/2018:15:08:34 +0200] "GET / HTTP/1.1" 200 7146 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
192.168.0.251 - - [23/Jul/2018:15:08:34 +0200] "GET /css/fonts.css HTTP/1.1" 200 2805 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
192.168.0.251 - - [23/Jul/2018:15:08:34 +0200] "GET /all.css?v=1524209778 HTTP/1.1" 200 89622 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
192.168.0.251 - - [23/Jul/2018:15:08:34 +0200] "GET /images/remove.png HTTP/1.1" 200 259 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
192.168.0.251 - - [23/Jul/2018:15:08:34 +0200] "GET /images/search.png HTTP/1.1" 200 418 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
192.168.0.251 - - [23/Jul/2018:15:08:34 +0200] "GET /all.js?v=1524209778 HTTP/1.1" 200 375868 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
192.168.0.251 - - [23/Jul/2018:15:08:35 +0200] "GET /images/bg.gif HTTP/1.1" 200 1174 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
192.168.0.251 - - [23/Jul/2018:15:08:35 +0200] "GET /fonts/OpenSans-Regular-webfont.woff HTTP/1.1" 200 19624 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
192.168.0.251 - - [23/Jul/2018:15:08:35 +0200] "GET /images/nav-mobile-logo.png HTTP/1.1" 200 5432 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
192.168.0.251 - - [23/Jul/2018:15:08:35 +0200] "GET /images/nav-mobile-settings.png HTTP/1.1" 200 3919 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
192.168.0.251 - - [23/Jul/2018:15:08:35 +0200] "GET /fonts/OpenSans-Bold-webfont.woff HTTP/1.1" 200 19788 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"

There are no recent error log entries.

jtojnar commented 6 years ago

When does the error happen? What do you see if you execute $('base').attr('href') + 'sources' in your browser console (F12)?

toonn commented 6 years ago

Ah, that was the problem. I'd specified the server_name with a wildcard: selfoss.*.

I want selfoss available under multiple domains though, is this possible?

jtojnar commented 6 years ago

No idea. selfoss will just use SERVER_NAME received from the server:

https://github.com/SSilence/selfoss/blob/c72e9c4d056f613405c9368eaa130ee1faeead12/helpers/View.php#L66

toonn commented 6 years ago

Hmm, too bad. Seems like that makes what I want to do impossible without replicating the server block for each server_name. :/ Would it be hard to patch so selfoss uses the actual domain used to reach it?

niol commented 6 years ago

Often selfoss does not even get the url used to reach it (setup behind reverse proxy). What is this server_name variable? nginx config? webserver config seems mandatory in order to handle multiple virtualhosts, but I'm not familiar with nginx. If you want selfoss to try to guess the url, leave base_url empty. If this does not work properly, please send in:

toonn commented 6 years ago

Yes it's nginx config. Any way for this to work right behind a reverse proxy? The transmission webui has no problems with this setup so I'm just not sure why selfoss does.

jtojnar commented 6 years ago

Switching https://github.com/SSilence/selfoss/blob/c72e9c4d056f613405c9368eaa130ee1faeead12/helpers/View.php#L66 to HTTP_HOST might work. Security implications need to be considered though.

niol commented 6 years ago

Again, did you try with base_url empty?

toonn commented 6 years ago

@niol I have no idea which base_url you're referring to? But it sounds like you'd just be specifying a path which is equivalent at least security-wise to what @jtojnar's suggesting I think.

niol commented 6 years ago

If you want selfoss to try to guess the url, leave base_url in selfoss config.ini empty. If this does not work properly, please send in:

toonn commented 6 years ago

@jtojnar Your suggestion worked, modulo some header manipulation in the reverse proxy. What are the security implications and why is it not this way in the first place?

jtojnar commented 6 years ago

The value of $_SERVER['HTTP_HOST'] comes from the HTTP Host header. The return value of getBaseUrl is used in the HTML, so this can cause XSS. Not sure if it can be exploited by an attacker or it is just self-XSS.

jtojnar commented 6 years ago

Apparently, the main vector is HTTP cache poisoning: https://security.stackexchange.com/questions/48249/host-header-attacks. Since we actually use it for base href, the only way to fix that would be checking a FQDN white-list.

It would probably be better to make nginx set server_name correctly, though I am not sure how.

mrossw commented 6 years ago

Hi! Not sure this is the right place, but I just wanted to mention I had to remove the trailing slash from the base in helpers/View.php's getBaseUrl to have version 2.17 work on my setup (shared hosting in webfaction, which, I believe, uses apache+nginx) ... 2.18 is another story ... 4th line of source was: <base href="http://rssn.mrossw.webfactional.com//" /> And I had the "Load list error: noErrorFound"
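The two points raised above, jtojnar's note that HTTP_HOST is client-controlled and may only be trusted against an FQDN allow-list, and mrossw's doubled trailing slash in the generated base href, can be illustrated together. The following is an added PHP example written for this thread; it is not selfoss's own getBaseUrl and does not reflect the project's code. The function names, the allow-list and the sample $_SERVER arrays are all constructed for illustration. The Host header is only honoured when it survives a strict hostname check and appears on the allow-list; otherwise the code falls back to SERVER_NAME, which is set by the web server's configuration rather than by the request, and a wildcard value such as selfoss.* is rejected outright instead of being written into the HTML.

```php
<?php
// Added example (not selfoss's own code): derive a base URL that is safe to
// embed in <base href="..."> by checking the client-supplied Host header
// against an explicit allow-list before trusting it.
declare(strict_types=1);

/**
 * Normalise a host value: lower-case it, strip a trailing port and require a
 * plain DNS name (label.label...) so nothing quotable or odd reaches the HTML.
 * Returns null when the value is not an acceptable host name.
 */
function normaliseHost(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $host = strtolower(trim($raw));
    // Drop an explicit port such as "rss.example.org:8443".
    $host = preg_replace('/:\d+$/', '', $host) ?? '';
    // RFC 1123-style labels only; this rejects wildcards like "selfoss.*".
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if (!preg_match('/^(?=.{1,253}$)' . $label . '(?:\.' . $label . ')*$/', $host)) {
        return null;
    }
    return $host;
}

/**
 * Pick the host for the base URL. The Host header is honoured only when it is
 * on the allow-list; otherwise fall back to SERVER_NAME, which comes from the
 * web server's own configuration rather than from the request.
 */
function resolveHost(array $server, array $allowedHosts): string
{
    $fromHeader = normaliseHost($server['HTTP_HOST'] ?? null);
    if ($fromHeader !== null && in_array($fromHeader, $allowedHosts, true)) {
        return $fromHeader;
    }
    $fromConfig = normaliseHost($server['SERVER_NAME'] ?? null);
    if ($fromConfig !== null) {
        return $fromConfig;
    }
    throw new RuntimeException('No usable host name in SERVER_NAME or the Host header');
}

/**
 * Build "scheme://host/path/" with exactly one trailing slash, so a script
 * living at the document root does not yield "host//".
 */
function baseUrl(array $server, array $allowedHosts): string
{
    $https = $server['HTTPS'] ?? '';
    $scheme = ($https !== '' && $https !== 'off') ? 'https' : 'http';
    $host = resolveHost($server, $allowedHosts);
    // Directory part of the script path, e.g. "/selfoss/index.php" -> "/selfoss".
    $dir = str_replace('\\', '/', dirname($server['SCRIPT_NAME'] ?? '/'));
    $path = rtrim($dir, '/') . '/';
    return $scheme . '://' . $host . $path;
}

// Constructed sample requests (hypothetical hosts, not real traffic).
$allowed = ['rss.example.org', 'news.example.net'];

// Allow-listed Host header with a port: the header wins over SERVER_NAME.
$listed = ['HTTP_HOST' => 'news.example.net:8443', 'SERVER_NAME' => 'rss.example.org',
           'HTTPS' => 'on', 'SCRIPT_NAME' => '/index.php'];
// Host header not on the list: fall back to the configured SERVER_NAME.
$spoofed = ['HTTP_HOST' => 'evil.example.com', 'SERVER_NAME' => 'rss.example.org',
            'SCRIPT_NAME' => '/selfoss/index.php'];
// Neither value is usable: a wildcard server_name must never reach the HTML.
$wildcard = ['HTTP_HOST' => 'evil.example.com', 'SERVER_NAME' => 'selfoss.*',
             'SCRIPT_NAME' => '/index.php'];

echo baseUrl($listed, $allowed), "\n";
echo baseUrl($spoofed, $allowed), "\n";
try {
    echo baseUrl($wildcard, $allowed), "\n";
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Run it with the php CLI; the first two requests print a base URL and the third is rejected. The allow-list is the part that answers the cache-poisoning concern: with it in place, an attacker who sends an arbitrary Host header gets a page built from the configured name rather than from their own input, so a shared cache in front of the application cannot be seeded with a foreign base href.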

jtojnar commented 2 years ago

If you include fastcgi.conf shipped with nginx, SERVER_NAME should be set properly:

https://github.com/nginx/nginx/blob/60ca13f98846bb1140359972d42276db88f4a409/conf/fastcgi.conf#L23